October 1997


The  Legislative  Audit  Committee 
of  the  Montana  State  Legislature: 

This  is  our  EDP  audit  of  controls  relating  to  the  state's  centralized  data  processing 
systems  operated  by  the  Department  of  Administration.  We  reviewed  the  department's 
general  and  application  controls  over  State  Payroll,  Statewide  Budgeting  and 
Accounting  System  (SBAS),  and  the  Warrant  Writer  system.  This  report  contains 
recommendations  for  improving  controls  related  to  those  systems.  Written  responses  to 
our  audit  recommendations  are  included  in  the  back  of  the  report. 

We  thank  the  Department  of  Administration  for  their  cooperation  and  assistance 
throughout  the  audit. 

Respectfully submitted,

Scott  A.  Seacat 
Report Summary


Introduction 


This  Electronic  Data  Processing  (EDP)  audit  includes  a  general 
controls  review  of  the  state's  mainframe  computer,  and  application 
reviews  of  State  Payroll,  Statewide  Budget  and  Accounting  System 
(SBAS),  and  Warrant  Writer. 


General  Controls 


The Department of Administration's Information Processing Facility
(IPF) is located in the Mitchell Building in Helena. The mission of
IPF staff is to provide reliable, effective, and efficient centralized
computing services to state agencies and other government units 24
hours per day, seven days a week. They provide computing operations
support services, and develop training curriculum. They also
support state agencies in the implementation and use of information
technology by providing application system design, development, and
technical support services. IPF supports the mainframe environment
plus the mid-tier and personal computing environments. They also
provide central coordination for Year 2000 problem resolution.


General  controls  are  developed  by  management  to  ensure  central 
computer  operations  function  as  intended  and  provide  effective  data 
processing  service  to  users.  Overall  general  controls  specific  to 
mainframe  processing  services  provided  controlled  application 
processing  during  fiscal  year  1996-97. 


Application  Controls 


The  Department  of  Administration  operates  the  SBAS,  State  Payroll, 
and  Warrant  Writer  systems.  These  systems  provide  centralized 
accounting,  payroll,  and  warrant  writing  functions  to  state  agencies 
and  units  of  the  Montana  University  System.  SBAS  is  an  accounting 
system  which  provides  financial  reporting  of  agency  transactions. 
State  Payroll  processes  payroll  for  state  agencies  and  units  of  the 
Montana  University  System.  Warrant  Writer  creates  state  warrants 
from  agency  submitted  claims  processed  through  SBAS. 


Overall application controls ensure SBAS, State Payroll, and Warrant
Writer transactions are input completely and accurately, are processed
as intended, and resulting output is accurate and distributed to only
authorized personnel. Audit issues address areas where the department
could improve internal procedures and operations to ensure
continued reliability over SBAS transaction processing.
Introduction


This is our annual electronic data processing (EDP) audit of the
state's centralized data processing systems operated by the Department
of Administration. The audit included central controls over the
state's mainframe computer and three computer based applications:
State Payroll, Warrant Writer, and the Statewide Budgeting and
Accounting System (SBAS). The controls identified and tested can
be relied upon by financial-compliance, performance, and EDP
auditors for the fiscal year 1996-97 audit period.


Organization  of  Report 


The report contains three chapters. Chapter I contains the introduction,
background information, and audit objectives. Chapter II
discusses our review of general controls applicable to the Department
of Administration's Information Processing Facility. Chapter
III includes our application review of the department's SBAS, State
Payroll, and Warrant Writer computer applications.


EDP  General  and 
Application  Controls 


EDP controls provide assurance over the accuracy, reliability, and
integrity of the information processed. From the audit work, a
determination is made as to whether controls exist and are operating
as designed. A general control review provides information about
the environment in which the computer systems operate and includes
an examination of the controls in place over the computer applications.
Applications must operate within the general control environment
for reliance to be placed on them.


Application  controls  are  specific  to  a  given  application  or  set  of 
programs  that  accomplish  a  specific  objective.  An  application 
controls  review  consists  of  an  examination  of  controls  over  input, 
processing  and  output. 


Audit  Objectives 


The objectives of this audit were to determine if general and application
controls over the SBAS, State Payroll, and Warrant Writer
applications are adequate to ensure accuracy and reliability of the
data processed by those applications. Based on the results of this
audit, financial-compliance, performance, and EDP auditors can rely
on the audited controls and reduce their testing accordingly.
Audit Scope and
Methodology 


The  audit  was  conducted  in  accordance  with  generally  accepted 
government  auditing  standards.  We  compared  existing  general  and 
application  controls  against  criteria  established  by  the  American 
Institute  of  Certified  Public  Accountants  (AICPA),  United  States 
General  Accounting  Office  (GAO),  and  the  EDP  industry. 


We reviewed the Department of Administration's general controls
related to the state mainframe environment. We interviewed
department personnel to gain an understanding of the hardware and
software environment at the Department of Administration. We also
examined documentation to supplement and confirm information
obtained through interviews.

We  examined  procedures  within  the  mainframe  environment  which 
ensure  computer  processing  activities  are  controlled.  For  example, 
we  determined  if  mainframe  equipment  is  maintained  in  a  secured 
area  and  access  is  limited  to  authorized  personnel.  The  department 
provides  data  entry  and  processing  services  to  state  agencies.  We 
reviewed  department  procedures  which  ensure  data  processing  is 
completed  per  agency  authorization. 

We conducted application reviews over State Payroll, Warrant
Writer, and SBAS. We interviewed employees of the Department of
Administration to evaluate policies and procedures. We reviewed
input, processing, and output controls for these systems. We also
reviewed supporting documentation to determine if controls over
data are effective as well as adequate to ensure the accuracy of data
during processing phases.

Controls  over  centralized  operations  are  supplemented  by  controls 
established  at  user  agencies.  We  did  not  review  controls  established 
by  user  agencies. 

This  report  contains  four  recommendations  to  the  department.  Areas 
of  concern  deemed  not  to  have  a  significant  effect  on  the  control 
environment  are  not  included  in  this  report,  but  have  been  discussed 
with  management. 
Compliance


We determined the Department of Administration to be in
compliance with applicable laws, rules and state policy, as tested.


Prior Audit
Recommendations


Our prior audit report for fiscal year 1995-96 included three
recommendations applicable to the Department of Administration.
The department concurred with each recommendation. The
department implemented all three recommendations.
Introduction


The department's Information Processing Facility (IPF) is located in
the Mitchell Building in Helena and is administered by the department's
Information Services Division (ISD). State employees
process application programs and data stored on the mainframe
through personal computers and terminals located across the state.
This chapter discusses our review of management's operating
procedures and controls which ensure continuous, reliable, and
accurate mainframe data processing services.


Conclusion:  General 
Controls  Provide  Controlled 
Application  Processing  for 
Fiscal  Year  1996-97 


Overall general controls specific to mainframe processing services
provided controlled application processing during fiscal year 1996-97.


Physical  Security 


Physical  security  controls  provide  security  against  accidental  loss  or 
destruction  of  data  and  program  files  and  equipment,  and  ensure 
continuous  operation  of  application  processing  functions.  Physical 
security  controls  include:  safeguarding  of  files,  programs  and 
documentation;  physical  access  over  the  computer  facility;  and  a 
plan  or  method  to  ensure  continuity  of  operations  following  major 
destruction  of  files  or  hardware  breakdown. 


We  reviewed  existing  physical  controls  at  the  Information  Processing 
Facility.  The  department  maintains  computer  hardware  on  a  raised 
floor.  Smoke  alarms  function  properly.  Air  conditioning  maintains 
controlled  computer  room  temperature.  The  power  supply  meets 
computing  equipment  needs. 

The department continues to improve its ability to recover the Information
Processing Facility following a disaster. The following
section discusses the department's disaster recovery plan and implementation
status during fiscal year 1996-97.
Disaster Recovery -
Background 


The  department  received  funding  from  the  1991  Legislature  to 
design  and  implement  a  contingency  plan,  which  included  a  "hotsite" 
and  the  appropriate  backup  equipment.   A  hotsite  agreement 
provides  ISD  an  alternative  location  and  equipment  necessary  to 
recover  mainframe  computer  operations.  In  April  1997,  ISD 
renewed  a  five  year  contract  for  a  backup  hotsite  with  Weyerhaeuser 
Information  Systems  in  Federal  Way,  Washington.  The  contract 
provides  for  annual  on-site  recovery  testing  of  the  central  mainframe 
operating  system  and  agency-owned  applications. 


During fiscal year 1996-97 ISD finalized a recovery plan which
defines ISD personnel responsibilities, hardware and software
requirements, and mainframe operating system recovery procedures.
ISD conducted semi-annual recovery tests in November 1996 and
May 1997.


Ongoing  Recovery  Plans 


ISD continues to work with interested state agencies to test recovery
of agency-owned applications and verify recovery procedures are
reliable. Although ISD can recover agency applications and provide
mainframe connection capabilities for agency-owned terminals, ISD
cannot define agency application recovery priorities or personnel
responsibilities. ISD provides guidance to state agencies for documenting
agency application recovery procedures within the plan.


Disaster  recovery  planning  requires  ongoing  preparation.  By 
establishing  documented  procedures,  ISD  significantly  improves  its 
ability  to  recover  mainframe  computing  operations  following  a 
disaster.  We  will  continue  to  review  the  status  of  ISD's  disaster 
recovery  plan. 


Job  Scheduler  Access 
Should  be  Controlled 


One  of  the  services  provided  to  agencies  by  ISD  is  input/output  (I/O) 
control.  Under  this  function,  ISD  personnel  submit  scheduled  batch 
jobs  for  nightly  processing.  The  I/O  controller  ensures  jobs  were 
submitted  as  scheduled,  they  are  coordinated  with  related  jobs,  and 
they  run  completely  and  without  error. 
In fiscal year 1997, much of the I/O function was automated in a
program called "Job Scheduler." Using Job Scheduler, recurring
jobs can be scheduled to run at particular times, days of the week,
month or year. Where jobs are inter-related, Job Scheduler can
prevent a job from starting until another job has completed. It will
also detect errors in processing, and notify the computer operator of
the problems.

Submission  of  batch  jobs  may  be  very  critical  to  the  operations  of 
the  agencies.  Therefore,  control  over  the  access  to  Job  Scheduler, 
and  the  programs  contained  therein,  is  critical.  Access  is  given  to 
personnel  through  an  "access  authorization"  form,  which  is  reviewed 
and  approved  by  agency  management  prior  to  activating  the  access. 

We found the authorization forms are being used by ISD, and are on
file for many of the users with access to Job Scheduler. However,
we also found several users with critical (write and/or delete) access
that did not have authorization forms on file. To simplify the
process of activating access, the security officer gave access to
groups of people, rather than specific individuals. For instance,
seven contract programmers submitted authorized request forms for
critical level access to Job Scheduler programs. Access was given to
the contract programmer group as a whole. This resulted in 17
separate users with access, while only seven had authorization.

Unauthorized access to Job Scheduler programs could result in
inappropriate changes to critical jobs on the system. This could
cause production errors and/or delays. The Job Scheduler security
officer should ensure all individuals with access to the programs are
authorized through the use of individual authorization forms.

Recommendation  #1 

We recommend the department ensure only authorized
individuals have access to Job Scheduler.
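
An added example, not part of the audit report: one way to run the access review the finding calls for, expanding group grants to individual users and comparing critical (write/delete) access against approved individual authorization forms. The user IDs, group name, resource name, and record layout are constructed for illustration; the 17-member group with seven forms mirrors the numbers in the finding.

```python
"""Reconcile effective scheduler access against individual authorization forms.
All identifiers and records below are constructed sample data."""
from dataclasses import dataclass

CRITICAL = {"write", "delete"}  # access levels the report calls critical


@dataclass(frozen=True)
class Grant:
    principal: str   # user ID or group name
    is_group: bool
    resource: str
    level: str       # "read", "write" or "delete"


@dataclass(frozen=True)
class Form:
    user: str
    resource: str
    level: str
    approved: bool   # reviewed and approved by agency management


def effective_access(grants, groups):
    """Map (user, resource, level) -> set of sources, after group expansion."""
    out = {}
    for g in grants:
        if g.is_group:
            members = groups.get(g.principal, ())
            source = f"group:{g.principal}"
        else:
            members = (g.principal,)
            source = "direct"
        for user in members:
            out.setdefault((user, g.resource, g.level), set()).add(source)
    return out


def review(grants, groups, forms):
    """Return (critical access with no approved form, approved forms with no access)."""
    approved = {(f.user, f.resource, f.level) for f in forms if f.approved}
    access = effective_access(grants, groups)
    unauthorized = sorted(
        (user, res, lvl, sorted(src))
        for (user, res, lvl), src in access.items()
        if lvl in CRITICAL and (user, res, lvl) not in approved
    )
    stale = sorted(approved - set(access))
    return unauthorized, stale


def individualize(grants, groups, forms):
    """Replace each group grant with per-user grants backed by an approved form."""
    approved = {(f.user, f.resource, f.level) for f in forms if f.approved}
    result = []
    for g in grants:
        if not g.is_group:
            result.append(g)  # direct grants are kept; review() still checks them
            continue
        for user in groups.get(g.principal, ()):
            if (user, g.resource, g.level) in approved:
                result.append(Grant(user, False, g.resource, g.level))
    return result


def constructed_case():
    """Constructed data: 17 group members, 7 of whom filed approved forms."""
    members = [f"c{n:02d}" for n in range(1, 18)]
    groups = {"CONTRACT_PROGRAMMERS": members}
    grants = [Grant("CONTRACT_PROGRAMMERS", True, "JOBSCHED.PROD", "write")]
    forms = [Form(u, "JOBSCHED.PROD", "write", True) for u in members[:7]]
    return grants, groups, forms


if __name__ == "__main__":
    grants, groups, forms = constructed_case()
    unauthorized, stale = review(grants, groups, forms)
    print(f"{len(effective_access(grants, groups))} users hold access, "
          f"{len(unauthorized)} without an approved form")
    for user, res, lvl, src in unauthorized:
        print(f"  {user}: {lvl} on {res} via {', '.join(src)}")
    fixed = individualize(grants, groups, forms)
    print(f"after individual grants: {len(fixed)} grants, "
          f"{len(review(fixed, groups, forms)[0])} unauthorized")
```

Recording the source of each entitlement shows the reviewer which group rule produced the excess access, so the rule itself can be corrected rather than only the individual accounts.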
The Department of Administration operates the Statewide Budgeting
and  Accounting  System  (SBAS),  State  Payroll,  and  Warrant  Writer 
systems.  These  systems  provide  centralized  accounting,  payroll,  and 
warrant  writing  functions  for  state  agencies  and  units  of  the  Montana 
University  System.  We  reviewed  application  controls  over  these 
systems  to  ensure  the  systems  processed  information  as  intended 
during  fiscal  year  1996-97. 


Statewide  Budgeting  and 
Accounting  System 


SBAS  provides  uniform  accounting  and  reporting  for  all  state 
agencies  by  showing  receipt,  use,  and  disposition  of  public  money 
and  property  in  accordance  with  generally  accepted  accounting 
principles.  SBAS  also  provides  budgetary  control  data  used  for 
agency  management  decisions. 


SBAS is a combination of on-line entry and batch update. State
agencies input transactions to the SBAS database. SBAS edits check
the data to ensure validity. If a transaction does not pass an edit, it
will be rejected from processing and may require correction. Transactions
which pass all edits are processed and posted to the SBAS
database.


Conclusion:  SBAS 
Application  Controls 
Effective  and  Adequate  for 
Fiscal  Year  1996-97 


We  reviewed  input,  processing,  and  output  controls  over  SBAS 
during  fiscal  year  1996-97.  Overall  application  controls  ensured 
SBAS  transactions  were  completely  and  accurately  processed.  The 
following  sections  discuss  areas  where  Accounting  Bureau  could 
improve  internal  procedures  and  operations  to  ensure  continued 
reliability  over  SBAS  transaction  processing. 


Inconsistent  Management 
Information 


When an agency enters a transaction on SBAS, certain accounting
codes, specific to the transaction, are also entered. These accounting
codes identify where the financial information will be accounted for,
such as a responsibility center or program, to provide management
the information necessary to control their operations. SBAS maintains
tables within the system, identifying valid accounting codes and
how the codes interrelate. A responsibility center (R/C) accounts for
designated financial activity, and is unique to an agency. The
Accounting Bureau, of the Department of Administration, has
delegated the authority for state agencies to change the interrelations
associated with their agency-specific R/Cs, such as add, modify, or
delete.

We  determined  there  are  no  procedures  in  place  to  ensure  code 
changes  made  by  state  agencies  do  not  result  in  inconsistent 
reporting  of  financial  information  on  SBAS.  Following  are  two 
examples  of  inconsistent  reporting  of  SBAS  information. 

An  agency  changed  the  program  to  which  R/C  activity  is 
assigned.  For  example,  R/C  1  activity  originally  accounted 
for  in  program  100  is  changed  mid-year,  and  now  is  accounted 
for  in  program  200.  Since  the  agency  did  not  adjust  the 
transaction  entered  prior  to  the  change,  there  is  no  audit  trail 
accounting  for  the  move  in  financial  activity.  As  a  result,  the 
SBAS  Program  Report  summarizes  the  entire  activity  for  the 
R/C  in  program  200.  However,  the  transaction  detail  still 
shows  the  transaction  reporting  to  program  100. 

An  agency's  appropriation  authority  is  inconsistently  reported 
between  two  fiscal  year-end  SBAS  reports.  The  agency 
intended  to  reallocate  its  budget  within  R/Cs.  However,  the 
new  R/Cs  are  accounted  for  in  a  different  program.  As  a 
result,  the  Appropriation  Summary  report  identifies  the 
original  budget  allocation  and  the  Program  report  reflects  the 
allocation  between  the  two  programs.  Total  appropriation 
authority  did  not  increase.  However,  the  allocation  between 
programs  is  inconsistently  reported. 

Since agencies may not be aware of the programming aspects of
SBAS, it is the department's responsibility to ensure procedures are
in place to maintain the integrity of its financial reporting system.
If the department delegates the authority to make agency-specific
accounting code changes, at a minimum, they should have
procedures in place to ensure the appropriate adjustments are also
made. Department personnel stated they agree that the problem
could be corrected with programming changes but are reluctant to
incur the costs at this time, considering the system will be replaced
within the next year or two. They stated they will consider this
problem in the design of the new system.
Recommendation #2

We recommend the department establish procedures to ensure
the financial activity is reported in a consistent manner on SBAS.


State  Payroll  System 


The  State  Payroll  System  processes  payroll  for  state  agencies  and 
selected  units  of  the  Montana  University  System.  The  system  also 
includes  personnel  and  position  control  components,  providing 
information  about  employees  or  management  information  necessary 
for  budgeting  purposes. 


The payroll component of the State Payroll System issues and tracks
state of Montana employees' wage and benefit payments. Similar to
SBAS, processing is completed through a combination of on-line
entry and batch update. State agencies and university units input
employee time information, and the State Payroll System retrieves
and checks the data against edits to ensure validity. Payroll data
which fails edit tests is corrected prior to further processing. Once
all payroll data is corrected, State Payroll personnel submit a job
which calculates gross pay, deductions, net pay, and leave and
service adjustments. In addition, the system automatically bills state
agencies for their payroll costs, updates SBAS for payroll
expenditures, and prepares payroll reports.


Conclusion:  State  Payroll 
Application  Controls 
Effective  and  Adequate  for 
Fiscal  Year  1996-97 


The  audit  was  limited  to  payroll  transactions  processed  through  the 
State  Payroll  System.  Overall  application  controls  ensured  payroll 
transactions  processed  accurately  and  completely  during  fiscal  year 
1996-97.  The  following  section  discusses  an  area  where  State 
Payroll  could  improve  internal  procedures  and  operations  to  ensure 
continued  reliability  over  payroll  transaction  processing. 


Chapter  III  -  Application  Controls 


Develop a Disaster
Recovery Plan


As noted on page 6 of this report, ISD has developed a disaster
recovery plan for the recovery of the mainframe computer, in the
event of a disaster. However, it is the agencies' responsibility to
develop their own recovery procedures for the individual applications.
As evidenced by the disaster recovery tests conducted at the
hotsite, ISD has the ability to recover the state payroll application.
However, agency personnel have indicated specific procedures are
not documented. A plan was developed several years ago, but is
incomplete and out-of-date.

A  disaster  recovery  plan  may  include  but  is  not  limited  to: 

An  inventory  of  current  applications,  operating  system 
programs,  telecommunications  programs  or  networks,  and 
hardware. 

An  analysis  to  determine  application  significance  and  impact  of 
loss. 

An  analysis  to  determine  application  recovery  priority. 

Selecting  a  disaster  recovery  method  depending  on  how  long 
the  organization  can  operate  without  processing,  management's 
backup  procedures,  and  cost. 

Identification,  involvement,  and  commitment  of  employees 
responsible  for  operating  applications. 

Definition  of  application  requirements  including  personnel, 
hardware,  system  support  programs,  communications,  data, 
special  forms,  etc. 

Documented and tested recovery procedures allow normal operations
to resume as quickly as possible following a disaster. Without a
complete disaster recovery plan which defines department
responsibilities and requirements, the department may be unable to
recover its applications in a timely manner.

The  department  should  define  agency  application  recovery  priorities 
and  personnel  responsibilities.  We  encourage  the  department  to 
continue  working  with  ISD  to  complete  disaster  recovery  procedures 
for  the  state  payroll  application. 
Recommendation #3

We recommend the department document disaster recovery
procedures for the state payroll application.


Warrant  Writer  System 


The Warrant Writer system controls creation and distribution of
most state warrants, and accounts for state warrants issued, outstanding,
and redeemed. The system creates state warrants from agency
submitted claims processed through SBAS.


Conclusion: Warrant
Writer Application Controls
Effective and Adequate for
Fiscal Year 1996-97


Overall application controls ensured warrant writer transactions
processed accurately and completely during fiscal year 1996-97.
The following section discusses an area where Warrant Writer could
improve internal procedures and operations to ensure continued
reliability over payroll transaction processing.


Revolving Fund
Reconciliation Should be
Completed Monthly

The Warrant Writing section processes warrants through a general
warrant account. When agencies process a claim, funds are
transferred from the agency's account to the general warrant
account. When the warrant is written and distributed, funds are
transferred from the general warrant account to the treasury account,
for payment of the cashed warrants. Theoretically, these two steps
would make the general warrant account balance to zero every day.
However, due to timing, errors, and other considerations, there is
always a balance in the account. Department policy requires reconciliation
of the general warrant account to identify why it does not
equal zero.


We determined a reconciliation is not being performed each month.
At the time of our audit, the account reconciliation had not been
done for four months. In addition, the account had been out-of-balance
by $14,779 since August, 1996. To date, the difference
remains unresolved. The reconciliations should be complete after
monthly SBAS transaction reports are completed to ensure
accounting or warrant writer errors are detected and resolved.
Recommendation #4

We recommend the department:

A. Resolve the differences between the Warrant Writer System
and SBAS.

B. Ensure the monthly reconciliations are done in a timely
manner.
DEPARTMENT OF ADMINISTRATION
DIRECTOR'S  OFFICE 


MARC  RACICOT,  GOVERNOR 


MITCHELL  BUILDING 


STATE OF MONTANA


(406)  444-2032 
FAX  444-2812 


PO  BOX  200101 
HELENA,  MONTANA  59620-0101 


November  4,  1997 

Scott  A.  Seacat 
Legislative  Audit  Division 
State  Capitol 
Helena,  MT    59620 


Dear  Mr.  Seacat: 

We  have  reviewed  the  recommendations  in  the  Information  Processing  Facility  and 
Central  Applications  EDP  Audit  dated  October  1997.  Our  responses  follow: 

Recommendation  #1:  We  recommend  the  department  ensure  only  authorized 
individuals  have  access  to  Job  Scheduler. 

Response:    We  concur.  The  rule  that  allows  access  to  the  Job  Scheduler 
environment  was  written  to  permit  access  by  groups  to  facilitate  use  of  the  software 
during  the  training  period  conducted  by  ISD  operations.  The  rules  that  control 
individual  functions  within  the  Scheduler  environment  were  written  more  specifically  in 
accordance  with  the  authorization  forms  received  from  the  agencies.  We  will  comply 
with  this  recommendation  and  will  revise  the  Job  Scheduler  access  rules  to  ensure  only 
authorized  individuals  have  access. 

Recommendation  #2:  We  recommend  the  department  establish  procedures  to 
ensure  the  financial  activity  is  reported  in  a  consistent  manner  on  SBAS. 

Response:    We  concur  that  financial  information  should  be  reported  in  a  consistent 
manner.  The  problem  could  potentially  be  corrected  with  programming  changes  to 
SBAS.  However,  the  Department  is  reluctant  to  incur  the  cost  at  this  time  because 
SBAS  will  be  replaced  by  MTPRRIME  within  the  next  two  years.  This  problem  will  be 
considered  in  the  design  of  the  new  financial  system. 

Recommendation  #3:  We  recommend  the  department  document  disaster 
recovery  procedures  for  the  state  payroll  application. 

Response: We concur. We will document disaster recovery procedures for the state
payroll application as suggested in the audit report and plan to complete this process by
April 1998.

Recommendation  #4:  We  recommend  the  department: 

A.  Resolve  the  differences  between  the  Warrant  Writer  System  and  SBAS. 

B.  Ensure  the  monthly  reconciliations  are  done  in  a  timely  manner. 
Response: 

A.  We  concur.  The  Department  is  working  diligently  to  resolve  the  discrepancy  that 
occurred  in  August  1996.  Another  staff  person  from  the  Management  Support 
Bureau  will  be  assigned  to  this  project  in  an  effort  to  resolve  the  discrepancy  as 
soon  as  possible. 

B.  We  concur.  The  monthly  reconciliations  fell  behind  because  of  the  time  spent 
resolving  the  discrepancy  of  August  1996.  Monthly  reconciliations  between 
SBAS  and  the  Warrant  Writer  system  are  now  complete  through  August  1997 
with  the  exception  of  the  discrepancy  noted  above  and  will  be  current  within  the 
next  two  months. 

We  appreciate  the  opportunity  to  work  with  your  staff  on  these  issues. 

Sincerely, 


LOIS MENZIES
Director 